Key points to consider

Valid consent to using personal data

The requirements for consent were tightened with the introduction of the GDPR. Clear positive consent is now required. Silence or pre-ticked boxes on your website no longer constitute valid consent from a customer.

You also have to give the customer the right to withdraw their consent at any time. This means that you should allow your customer the right to withdraw consent using the same method that was used to obtain it in the first instance.

Special categories of personal data

Most businesses are already familiar with the concept of ‘sensitive data’ from the previous data protection legislation. ‘Sensitive data’ includes information concerning racial or ethnic origin and health generally. There are other categories of information too, including genetic and biometric data.

Governance

Obligations are now imposed on you to show that you have considered and integrated compliance measures into your day-to-day practices. This may mean adopting appropriate data protection policies, staff training and appointing a data protection officer. Importantly, you now have to prove you comply with your obligations under the GDPR by keeping appropriate records.

In a significant departure from previous legislation, the GDPR requires you to have formal contracts with any service providers who process personal data on your behalf – and ensure they comply with their obligations under the GDPR. Equally, if you are processing data on behalf of a third party, the GDPR places specific legal obligations on you and makes you liable for breaches that you are responsible for.

Right to erasure

More commonly known as the ‘right to be forgotten’, this gives data subjects the right to have their personal data erased in specific circumstances – such as where the personal data is no longer necessary for the purpose for which it was originally collected or processed.

Data breach notification

If you accidentally or unlawfully destroy, lose, alter, disclose, or give access to, personal data, a requirement to notify the Information Commissioner’s Office will be triggered depending on the nature of the breach. You may be tempted not to notify to avoid any bad publicity; however, failure to notify risks an administration fine of up to €10,000,000 or two per cent of the total worldwide annual turnover in the preceding year – whichever is higher.

For the most serious breaches the penalty is doubled to €20,000,000 or four per cent of total worldwide revenues.

About our GDPR solicitors

Our expert lawyers work with businesses to put the best data protection systems in place to comply with the GDPR. Our team drafts detailed compliance policies setting out a business’ attitude to the GDPR and the steps that need to be taken to properly collect, store and safeguard relevant data.

"Outsourcing and IT projects are key areas of expertise at Nelsons Solicitors Limited, particularly in the technology sector, but the group is also adept at advising on software development agreements, licencing and maintenance agreements, and instructions from the e-commerce sector. Data protection law is another string to the team's bow, with advice on General Data Protection Regulation compliance in especially high demand."

Legal 500

For more information about Nelsons’ data protection services for businesses, email us or call 0800 024 1976 for a guaranteed response.


The shareholders of Nelsons Solicitors Limited are also members of Nelsonslaw LLP which under the terms of an exclusive services agreement provides legal services to Nelsons Solicitors Limited. Nelsons Solicitors Limited and Nelsonslaw LLP are both authorised and regulated by the Solicitors Regulation Authority (SRA) (Nelsons Solicitors Limited SRA number: 536939; Nelsonslaw LLP SRA number: 569619). Nelsons Solicitors Limited is authorised and regulated by the Financial Conduct Authority (FCA) (FCA number: 523173). Nelsons’ Notaries are regulated by The Faculty Office. We use the word “partner” to refer to a shareholder or director of Nelsons Solicitors Limited and its use in connection with the business of Nelsons Solicitors Limited should not be construed as an indication that any shareholder or director carries on business in partnership with any other shareholder or director within the meaning of the Partnership Act 1890.
